Public bug reported:

When getting an unscoped token, by authenticating against Keystone
without a scope, one should be able to perform scope independent
operations (when allowed to do so). For instance, an administrator
should be able to manage domains, roles and possibly users, without
needing to specify a scope.

Unscoped tokens are currently not much useful, since they don't allow
any such operation.

  $ curl -s -i http://localhost:5000/v3/auth/tokens \
      -H "Content-Type: application/json" \
      -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "domain": {"name": "Default"}, "name": "admin", "password": "YourPasswordHere" } } } } }' | grep ^X-Subject-Token
  X-Subject-Token: b8c1cd2065ce4df39cbcb6e6111f9dba
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
      http://localhost:5000/v3/domains | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_domains.",
          "title": "Forbidden"
      }
  }
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
      http://localhost:5000/v3/roles | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_roles.",
          "title": "Forbidden"
      }
  }
  $
  $ curl -s -H "X-Auth-Token: b8c1cd2065ce4df39cbcb6e6111f9dba" \
      http://localhost:5000/v3/users | python -m json.tool
  {
      "error": {
          "code": 403,
          "message": "You are not authorized to perform the requested action, identity:list_users.",
          "title": "Forbidden"
      }
  }
  $

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1264325

Title:
  API v3 - Unable to perform scope independent operations with unscoped token

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1264325/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
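As an added example (not part of the bug report above and not Keystone's own code), the following Python models the two halves of what the transcript shows: the v3 auth body with and without a `scope` element, and a deliberately simplified stand-in for Keystone's policy check, modelled on the shape of the default rules of the time (`admin_required: role:admin or is_admin:1`), to show why a token that carries no role assignments cannot satisfy a role-based rule. The endpoint, user name and action names are taken from the report; the sample `token` objects, the `POLICY` table, `check_rule`, `authorize` and the `is_admin` flag are constructed assumptions for this illustration.

```python
import json

# Endpoint and user taken from the bug report; everything else here is assumed.
KEYSTONE_URL = "http://localhost:5000"


def build_auth_request(user, password, user_domain="Default", scope=None):
    """Build the JSON body for POST /v3/auth/tokens.

    scope=None                              -> unscoped token (the report's case)
    scope={"domain": {"name": "Default"}}   -> domain-scoped token
    scope={"project": {"id": "<id>"}}       -> project-scoped token
    """
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "domain": {"name": user_domain},
                        "name": user,
                        "password": password,
                    }
                },
            }
        }
    }
    if scope is not None:
        body["auth"]["scope"] = scope
    return body


def token_scope(token):
    """Classify the 'token' object of a v3 auth response by its scope keys."""
    if "project" in token:
        return "project"
    if "domain" in token:
        return "domain"
    return "unscoped"


def token_roles(token):
    """Role names carried by the token; an unscoped token carries none."""
    return sorted(r["name"] for r in token.get("roles", []))


# Simplified policy model, constructed for this example (not oslo.policy).
# It mirrors only the shape of Keystone's default policy.json of the era;
# is_admin is assumed here to stand for the legacy admin_token path.
POLICY = {
    "admin_required": "role:admin or is_admin:1",
    "identity:list_domains": "rule:admin_required",
    "identity:list_roles": "rule:admin_required",
    "identity:list_users": "rule:admin_required",
}


def check_rule(action, token, is_admin=False):
    """Evaluate POLICY[action] against the token's credentials.

    Supports only the 'or', 'rule:', 'role:' and 'is_admin:' forms used above.
    Returns True when the request would be allowed, False for a 403.
    """
    roles = set(token_roles(token))
    for clause in POLICY[action].split(" or "):
        kind, _, value = clause.partition(":")
        if kind == "rule" and check_rule(value, token, is_admin):
            return True
        if kind == "role" and value in roles:
            return True
        if kind == "is_admin" and value == "1" and is_admin:
            return True
    return False


# Constructed sample 'token' objects, trimmed to the keys this example reads.
UNSCOPED_TOKEN = {
    "methods": ["password"],
    "user": {"id": "u1", "name": "admin", "domain": {"id": "default", "name": "Default"}},
    "expires_at": "2013-12-27T00:00:00.000000Z",
    # no "roles", "domain" or "project": nothing for a role-based rule to match
}
DOMAIN_TOKEN = {
    "methods": ["password"],
    "user": {"id": "u1", "name": "admin", "domain": {"id": "default", "name": "Default"}},
    "domain": {"id": "default", "name": "Default"},
    "roles": [{"id": "r1", "name": "admin"}],
    "expires_at": "2013-12-27T00:00:00.000000Z",
}


def authorize(action, token):
    """Return the (status, body) pair a client would see for this action."""
    if check_rule(action, token):
        return 200, {}
    msg = "You are not authorized to perform the requested action, %s." % action
    return 403, {"error": {"code": 403, "message": msg, "title": "Forbidden"}}


if __name__ == "__main__":
    print(json.dumps(build_auth_request("admin", "YourPasswordHere"), indent=2))
    print(json.dumps(build_auth_request("admin", "YourPasswordHere",
                                        scope={"domain": {"name": "Default"}}), indent=2))
    for name, tok in (("unscoped", UNSCOPED_TOKEN), ("domain-scoped", DOMAIN_TOKEN)):
        status, body = authorize("identity:list_domains", tok)
        print(name, token_scope(tok), token_roles(tok), status,
              body.get("error", {}).get("message", "OK"))
```

The practical check this suggests when debugging a 403 like the ones above: inspect the `token` object returned alongside `X-Subject-Token` for a `roles` key. If it is absent, no `role:` clause can match, and the same credentials re-sent with a `scope` element (domain or project where the user has the admin role assignment) will carry the roles the policy needs.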